On 5/1/2009 4:52 PM, Jesse Thompson wrote:
Yet Another Ninja wrote:
I'm trying hard to convince myself this data is really useful.
the whole
http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses
file has 4518 entries, including vintage 2008
compared to the big_boyz my trap feed is quite small and I collected
1598 entries during the last 4 hrs
Hello Yet Another Ninja,
"big_boyz": as in a small collection of university postmasters? I guess
we should be honored, but I have a feeling that you were being
condescending.
Feel as you please.
I manage a relatively small trap space compared to some of the players
here, so I meant what I said. Traps never correlate to a number of
specific rcpt addresses, only.
If you are the opposite of a "big_boy", that must mean that your domain
is smaller than a large university's, so you must have less than, say,
50,000 unique active users.
I'm definitely smaller, that doesn't mean that trap traffic can't be
huge. Traps aren't active - they sit there and get hammered.
Are you truly saying that every 4 hours you
have 1598 unique (as in the reply-to is unique) phishing attempts, in
which the phisher asks one of your users to reply with their credentials?
nope - I'm collecting generic drop boxes type of stuff and not specific
phishes for a specific group.
these include phishes, lotto scams, etc using specific domains. (not
rcpt domains)
If what you are saying is true, then you are standing on a gold mine.
Would you mind contributing to the project?
every school, corp, ISP, soho server, etc is standing on a similar gold
mine, I'm not re-inventing the wheel.
Only little drawback is how to centralize (or not) all this gold to make
it useful to more than me and my dog.
Until I have some minimal metrics I can't say.
As for the vintage of the addresses. No, I don't have metrics. But
most of the addresses are in the freemail domains, and we have no
indication that the freemail providers are shutting down this type of
account. I don't mind scanning logs for, or blocking mail to, the "old"
addresses. But we do include the date (however accurate it is) so you
can choose to filter the list any way you desire.
no need to go through that trouble - you guys know its value, once apps
are here to test the data, then others outside your space will report,
I'm sure.
We have different targets. I misunderstood APER's
this is all work in progress so keep tuned....
Axb